KR20150069435A - Apparatus and method for controlling security module - Google Patents


Publication number
KR20150069435A
Authority
KR
South Korea
Application number
KR1020130155833A
Other languages
Korean (ko)
Inventor
김영세
전용성
주홍일
윤승용
김정녀
Original Assignee
한국전자통신연구원
Application filed by 한국전자통신연구원 filed Critical 한국전자통신연구원
Priority to KR1020130155833A priority Critical patent/KR20150069435A/en
Publication of KR20150069435A publication Critical patent/KR20150069435A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards

Abstract

The present invention relates to an apparatus and a method for controlling a USIM module, which is used as an authentication module for subscribers of 3G mobile communications, and a hardware security module, which is applied for the security of a mobile terminal, so that both are executed at the same time within a USIM card apparatus. The method for controlling a security module comprises the steps of: receiving, by a security module controlling apparatus, a command from a terminal; upon receipt of the command via serial communication, controlling and operating a USIM execution code corresponding to the serial communication; upon receipt of the command via USB communication, controlling and operating a security module execution code corresponding to the USB communication; and upon completion of all operations of the USIM execution code or the security module execution code, transmitting a reply corresponding to the completed execution code to the terminal.

Description

APPARATUS AND METHOD FOR CONTROLLING SECURITY MODULE

The present invention relates to an apparatus and a method for reconfiguring an executable file in a virtualized environment, and more particularly, to an apparatus and a method for controlling a security module used as a subscriber authentication module of 3G mobile communication and a hardware security module applied for security of a mobile terminal.

The mobile communication terminal has evolved into the smartphone, an open system used not only for voice and text communication but also for installing and using various services. However, this development has also increased the number of malicious attacks that exploit security vulnerabilities, and security threats such as hacking, malicious code, and smishing have become a problem.

Accordingly, various security techniques are being developed in response to these threats, and among them the strongest is to perform security functions with a separate hardware security module.

There are two main ways to apply a hardware security module. One is a device mounted in the terminal itself that cannot be attached or detached, such as a mobile trusted module (MTM); the other is a detachable external device, such as a universal subscriber identity module (USIM). As different hardware types, the two have different main purposes in their security functions, and external devices in particular are easy to apply.

One such external hardware security module is the micro SD card type security module. Android-based smartphones generally support micro SD cards for memory expansion, and a security SD card uses this external device as a security module. The security SD card adds a CPU-based embedded system for the security function to the conventional SD card, which consists of memory and an SD controller. The added embedded system is an IC card-based system. Because the IC card has been in use for a long time and its safety and security have been verified, the secure SD card is implemented by applying the existing IC card system rather than a completely new system.

The security SD card implemented in this way has the advantage that the security function can be applied while the existing SD card is used as it is, but because the security system is fitted into the limited space of the SD card, the memory size is reduced. In other words, a user of a secure SD card must give up a considerable part of the SD card's value as memory expansion.

In fact, smartphones already include a USIM, which performs subscriber authentication in the 3G network. Since the subscriber authentication performed by the USIM is also a security function, the USIM has value as a security module. In addition, the USIM is an embedded system based on an IC card system, like a secure SD card, and its hardware configuration is almost the same as that of the secure SD card. Before smartphones, when mobile phones were closed systems on which service applications were difficult to install freely, the ability to install and use a variety of applications on a Java-based USIM with an open operating system was a major advantage for users. To develop higher-capacity USIMs and enable faster communication with mobile terminals, the USIM standard has been extended to include USB, enabling USB communication in place of the existing serial communication.

There is also a technology that uses the USIM to provide functions other than USB, for example, the MTM function. For example, Korean Patent Laid-Open No. 10-2010-0065723, entitled "Method and apparatus for providing a mobile trust module function", uses a USIM that provides a shielding area, protection capability, and physical security to provide the MTM function in the mobile communication terminal.

However, with the arrival of smart terminals such as smartphones, users no longer need to run services on the USIM. Considering services alone, a smart terminal, whose computing power is beyond comparison with that of the USIM, can install a variety of services and execute them at higher speed. In other words, the USIM can now be said to perform only its original function of subscriber authentication.

In other words, consider the security SD card, which adds a security function to an SD card in order to use its communication interface for an external security module, and the USIM card, which functions only for subscriber authentication. In terms of the hardware system, the security SD card has the problem of lost memory size, and the USIM card has the disadvantage of wasting system resources.

It is an object of the present invention to provide a device and a method for controlling a USIM module used as a subscriber authentication module of 3G mobile communication and a hardware security module applied for security of a mobile terminal so that both are executed in a USIM card device.

According to an aspect of the present invention, a method for controlling a security module includes: receiving, by the security module control device, a command from the terminal; controlling the USIM executable code corresponding to serial communication to operate when the command is received through serial communication; controlling the security module executable code corresponding to USB communication to operate when the command is received through USB communication; and transmitting a response corresponding to the completed execution code to the terminal when the operation of the USIM execution code or the security module execution code is completed.

According to the present invention, the security module control apparatus can process the functions of the security module with only one USIM module. Therefore, the restrictions on interface or memory size that come with a separate external device such as a secure SD card do not arise, and by using the USB interface and the spare resources of the USIM, the security module can be applied without adding a new hardware security module.

In addition, the present invention uses the existing hardware device as it is and, exploiting the characteristic that the USIM and the security module both operate in a command/response manner, implements the integrated security module by separating the execution code areas, so no price increase due to the addition or upgrade of a device occurs.

In addition, when the security module is added to the existing USIM module as software and included as part of the USIM executable code, it must use the same protocol as the USIM, and it also depends on being implemented on the same OS as the USIM. Since in the present invention the two are completely separated in software, the implementation of the security module is independent of the USIM. The invention also has the advantage that it is applicable to a terminal that does not support external memory because it has no SD card slot.


The present invention will now be described in detail with reference to the accompanying drawings. Hereinafter, a repeated description, a known function that may obscure the gist of the present invention, and a detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, a security module control apparatus and method according to a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.

First, a terminal to which a security module control device according to a preferred embodiment of the present invention is applied is a mobile device, such as a smartphone, that includes a USIM and performs voice/data communication using a mobile communication network.

The security module refers to a hardware-based security module that is embedded in a terminal or provided as an external device when applying a solution that provides security functions for the terminal. In the case of an external device, because structural limitations of the terminal make it impossible to add a new interface for data communication with the terminal, the security module is provided as a secure SD card that uses the terminal's SD card slot. The secure SD card, in which the security module is added to an existing SD card, therefore has the same external shape as a general SD card and contains the security module internally, but its memory size is reduced.

Hereinafter, the USIM card is the device for subscriber authentication in 3G mobile communication; that is, a UICC, the smart card used in mobile devices on a mobile network, on which a USIM module for subscriber authentication is installed. Depending on the size, there are various form factors such as Mini-SIM and Micro-SIM. The interface standard of the USIM card is shown in FIG. 1.

Referring to FIG. 1, in the interface standard of the USIM card, C6 does not require additional power due to the low power process, and can be used as an SWP interface for NFC communication. C4 and C8 can be used as a USB interface.

The integrated security module adds a security module to the USIM. It is implemented neither by simply using two pieces of hardware nor by including the security module function as software within the USIM function. Instead, the memory in which the generated executable code is stored is divided into an execution code area for the USIM and an execution code area for the security module, and the USIM executable code and the security module executable code are each stored in their own area. The executable code of the control module responsible for the selection and control of the USIM and the security module is also included.

The executable code is an image file composed of instruction codes, mounted in a ROM, flash memory, or the like, so that the hardware device operates according to the sequence of instructions recorded in it. For a security module or USIM, the developer implements the functions of the security module or the USIM as source code so that each device can perform its function, compiles it together with the basic source package of the corresponding hardware, and finally generates machine code that the CPU of the hardware device can read and execute.

The security module control apparatus and method according to the embodiment of the present invention concern the case where a hardware security module that provides a security function is applied to a terminal: instead of adding a new hardware security module, a security module is added to the existing USIM, and a control module is added that distinguishes the USIM and the security module by interface, forming an integrated security module.

Next, the structure of the memory on which the execution code in the security module control device is loaded will be described in detail with reference to FIG. 2.

FIG. 2 is a block diagram schematically showing the structure of a memory on which an executable code in a security module control apparatus according to an embodiment of the present invention is to be installed.

Referring to FIG. 2, the ROM or flash memory 10 includes a security module 100, a USIM module 200, and a control module 300.

The hardware security module 100 is an embedded system that performs specific functions with a CPU, a memory, and the like. It therefore has a memory on which an executable code is loaded, that is, a ROM or flash memory, and generally one executable code is mounted. In the present invention, however, three executable codes are mounted in the memory 10 as shown in FIG. 2. The area of the ROM or flash memory 10 is divided by physical address so that the execution codes do not overlap.

With the ROM or flash memory 10 configured as shown in FIG. 2, the control module 300 is executed first and controls the execution of the security module 100 or the USIM module 200.

The control module 300 allows the code of the security module 100 to be executed when the operation of the security module 100 is required, and the code of the USIM module 200 to be executed when the operation of the USIM module 200 is required.

The control module 300 according to the embodiment of the present invention corresponds to a security module control device.

Next, the security module control apparatus 300 will be described in detail with reference to FIG. 3.

FIG. 3 is a block diagram schematically showing a security module control apparatus according to an embodiment of the present invention.

First, the ROM or flash memory 10 includes a security module 100, a USIM module 200, and a control module 300, and the control module 300 corresponds to a security module control device.

The USIM module 200 basically follows the protocol of the command and response structure through the ISO7816 serial communication. That is, the USIM module 200 operates and responds only when a command of the terminal is received, and continues to wait for commands from the terminal.

If the security module 100 has a structure that responds only when a specific command is input from the terminal through the USB interface, the security module 100, having responded to the received command, waits for the next command. If the USIM module 200 operates when data is input through serial communication and the security module 100 operates when data is input through the USB interface, the security module 100 and the USIM module 200 can operate without problems on one piece of hardware.

The USIM module 200 allows two pins to be allocated to USB. That is, because the security module 100 uses USB communication, the terminal recognizes the existing USIM module 200 as a serial device and the security module 100 as a USB device. Since the security module 100 and the USIM module 200 are each recognized as an independent device, no operating restriction is imposed on programs that use either device.

Referring to FIG. 3, the security module control apparatus 300 includes a control unit 310, a serial communication unit 320, and a USB communication unit 330.

The security module control apparatus 300 operates using a serial communication unit 320 or a USB communication unit 330 according to a command received according to serial communication or USB communication.

First, the terminal transmits a command to the serial device, that is, the USIM module 200, through the serial communication for authentication of the mobile communication subscriber of the terminal.

Then, the serial communication unit 320 of the security module control apparatus 300 receives the command transmitted by the terminal.

When the command has been completely received through the serial communication unit 320, the control unit 310 moves the execution code address to the execution code corresponding to the serial communication unit 320, that is, the code of the USIM module 200 (= USIM execution code). At this time, the command received by the serial communication unit 320 is stored in a designated receiving buffer in the RAM, which serves as the execution memory. The RAM area in which the command is stored is predefined and is accessed at the same address by all executable codes, so that it is shared within the security module control device 300.

The USIM executable code performs an operation corresponding to the received command, stores the response in the transmission buffer previously defined in the RAM, and then moves the next execution code address to the control module.

The control unit 310 checks that the operation of the USIM executable code is completed, transmits the response stored in the transmission buffer through the serial communication unit 320, and then waits for command reception again.

Next, the terminal transmits a command to the USB device, that is, the security module 100 via USB communication, in order to perform a specific security function.

Then, the USB communication unit 330 of the security module control device 300 receives the command transmitted by the terminal.

The control unit 310 moves execution to the execution code corresponding to the USB communication unit 330, that is, the code of the security module 100 (= security module execution code). At this time, the command received by the USB communication unit 330 is stored in a designated receiving buffer in the RAM, which serves as the execution memory. The RAM area in which the command is stored is predefined and is accessed at the same address by all executable codes, so that it is shared within the security module control device 300.

After executing the operation corresponding to the received command, the security module executable code again stores the response in the transmission buffer previously defined in the RAM, and then moves the next execution code address to the control module.

The control unit 310 confirms that the operation of the security module executable code is completed, transmits the response stored in the transmission buffer to the USB communication unit 330, and then waits for command reception again.

Since the serial communication unit 320 and the USB communication unit 330 operate independently of each other, the security module control device 300 can determine the priorities of the two modules in advance and controls the security module 100 and the USIM module 200 to operate accordingly.

Next, a method for controlling the security module will be described in detail with reference to FIG. 4.

FIG. 4 is a flowchart illustrating a method for controlling a security module according to an embodiment of the present invention.

First, the ROM or flash memory 10 includes a security module 100, a USIM module 200, and a control module 300, and the control module 300 corresponds to a security module control device 300. The security module control apparatus 300 includes a control unit 310, a serial communication unit 320, and a USB communication unit 330.

Referring to FIG. 4, the control unit 310 of the security module control device 300 determines whether data, that is, an instruction, has been received from the terminal (S100).

When the command is received, the control unit 310 determines whether the command is received through the serial communication unit 320 (S200).

When the command is received through the serial communication unit 320, the control unit 310 controls the execution code corresponding to the serial communication unit 320, that is, the code of the USIM module 200 (= USIM execution code), to operate (S300).

On the other hand, when the command is received through the USB communication unit 330 rather than the serial communication unit 320, the control unit 310 controls the execution code corresponding to the USB communication unit 330, that is, the code of the security module 100 (= security module execution code), to operate (S400).

In step S300 or step S400, the USIM executable code or the security module executable code performs an operation corresponding to a command received from the terminal and stores the response in a transmission buffer defined in advance.

Next, the control unit 310 confirms that the operation of the corresponding execution code is completed (S500), and transmits a response corresponding to the completed execution code, that is, a USIM response or a security module response, to the terminal (S600).
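The S100 to S600 flow above, sketched in C as an added example; it is not code from the patent. The stand-in execution codes, the 64-byte buffers, the choice to give the serial (USIM) side priority, and the scrub of the shared RAM between modules are assumptions made for illustration; the scrub is a hardening step the patent does not describe, added because both execution codes reach the same buffers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size */

typedef enum { IF_SERIAL = 0, IF_USB = 1, IF_COUNT = 2 } iface_t;

/* Shared RAM area: receive and transmit buffers that every execution
 * code reaches at the same predefined location. */
typedef struct {
    uint8_t rx[BUF_SIZE]; size_t rx_len;
    uint8_t tx[BUF_SIZE]; size_t tx_len;
} shared_ram_t;

/* One pending command per communication unit (320 = serial, 330 = USB). */
typedef struct { uint8_t data[BUF_SIZE]; size_t len; int pending; } port_t;
typedef void (*exec_code_t)(shared_ram_t *);

static shared_ram_t g_ram;
static port_t g_port[IF_COUNT];

/* Hypothetical stand-in for the USIM execution code: echoes the first
 * command byte and appends the ISO 7816 success status word 90 00. */
static void usim_exec(shared_ram_t *r) {
    r->tx[0] = r->rx[0]; r->tx[1] = 0x90; r->tx[2] = 0x00;
    r->tx_len = 3;
}

/* Hypothetical stand-in for the security module execution code: an XOR
 * checksum of the command, in place of a real security function. */
static void secmod_exec(shared_ram_t *r) {
    uint8_t x = 0;
    for (size_t i = 0; i < r->rx_len; i++) x ^= r->rx[i];
    r->tx[0] = x;
    r->tx_len = 1;
}

/* Interface -> execution code entry point, fixed at build time. */
static const exec_code_t k_entry[IF_COUNT] = { usim_exec, secmod_exec };

/* Communication unit: accept one complete command, rejecting bad lengths. */
int port_receive(iface_t ifc, const uint8_t *cmd, size_t len) {
    if ((unsigned)ifc >= IF_COUNT || !cmd || len == 0 || len > BUF_SIZE) return -1;
    if (g_port[ifc].pending) return -1;      /* previous command not served */
    memcpy(g_port[ifc].data, cmd, len);
    g_port[ifc].len = len;
    g_port[ifc].pending = 1;
    return 0;
}

/* One pass of the control unit. Returns the response length and sets
 * *out_if, -1 when idle, -2 when the execution code's response is unusable. */
int control_step(iface_t *out_if, uint8_t *resp, size_t cap) {
    int sel = -1;
    for (int i = 0; i < IF_COUNT; i++)       /* S100/S200: serial first */
        if (g_port[i].pending) { sel = i; break; }
    if (sel < 0) return -1;

    memcpy(g_ram.rx, g_port[sel].data, g_port[sel].len);
    g_ram.rx_len = g_port[sel].len;
    g_ram.tx_len = 0;
    g_port[sel].pending = 0;

    k_entry[sel](&g_ram);                    /* S300 or S400 */

    int n = -2;
    if (g_ram.tx_len <= BUF_SIZE && g_ram.tx_len <= cap) {   /* S500 */
        memcpy(resp, g_ram.tx, g_ram.tx_len);                /* S600 */
        n = (int)g_ram.tx_len;
        *out_if = (iface_t)sel;              /* reply on the same interface */
    }
    memset(&g_ram, 0, sizeof g_ram);         /* scrub before the other module runs */
    return n;
}

/* Number of non-zero bytes left in the shared RAM area. */
size_t shared_ram_residue(void) {
    const uint8_t *p = (const uint8_t *)&g_ram;
    size_t n = 0;
    for (size_t i = 0; i < sizeof g_ram; i++) n += (p[i] != 0);
    return n;
}

int main(void) {
    uint8_t cmd[] = { 0x01, 0x02, 0x04 }, resp[BUF_SIZE];   /* constructed command */
    iface_t ifc = IF_SERIAL;
    port_receive(IF_USB, cmd, sizeof cmd);
    int n = control_step(&ifc, resp, sizeof resp);
    printf("iface=%d len=%d first=0x%02X\n", (int)ifc, n, resp[0]);
    return 0;
}
```

On real firmware the scrub should use a wipe the compiler cannot elide, and the entry-point table would hold the fixed physical addresses of the two execution code areas.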

As described above, the present invention can process the functions of the security module with only one USIM device. Therefore, the restrictions on interface or memory size that come with a separate external device such as a secure SD card do not arise, and by using the USB interface and the spare resources of the USIM, the security module can be applied without adding a new hardware security module.

As described above, an optimal embodiment has been disclosed in the drawings and specification. Although specific terms have been employed herein, they are used for purposes of illustration only and are not intended to limit the scope of the invention as defined in the claims. Therefore, those skilled in the art will appreciate that various modifications and equivalent embodiments are possible without departing from the scope of the present invention. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

10: ROM or flash memory
100: Security module
200: USIM module
300: Security module control device
310: Control unit
320: Serial communication unit
330: USB communication unit

Claims (1)

A method for controlling a security module, comprising:
receiving, by the security module control device, a command from the terminal;
controlling the USIM executable code corresponding to the serial communication to operate when the command is received through the serial communication;
controlling the security module executable code corresponding to the USB communication to operate when the command is received through the USB communication; and
when the operation of the USIM execution code or the security module execution code is completed, transmitting a response corresponding to the completed execution code to the terminal through serial communication or USIM communication.
KR1020130155833A 2013-12-13 2013-12-13 Apparatus and method for controlling security module KR20150069435A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130155833A KR20150069435A (en) 2013-12-13 2013-12-13 Apparatus and method for controlling security module


Publications (1)

Publication Number Publication Date
KR20150069435A true KR20150069435A (en) 2015-06-23

Family

ID=53516557


Country Status (1)

Country Link
KR (1) KR20150069435A (en)


Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination